Claude for Chrome click flaw lets other extensions act
🔒 Manifold Security found that Claude for Chrome still accepts synthetic clicks and can read permission mode from its URL, enabling other extensions with DOM access on claude.ai to trigger nine allowlisted tasks (including Gmail, Google Docs, and Calendar). Anthropic constrained arbitrary prompts after ClaudeBleed, but the click handler lacks an event.isTrusted check and the side panel honors ?skipPermissions=true, creating high-risk scenarios especially if "Act without asking" is enabled. Manifold reported this in May against v1.0.72; the issues remained in v1.0.80 as of July 7 and no patch or public advisory was available by July 14.
